What counts as a validation?

Each email address checked through the Mailchk API counts as one validation. Cached results for the same email within 24 hours do not count against your limit.

Can I upgrade or downgrade at any time?

Yes, you can change your Mailchk plan at any time. Upgrades take effect immediately, and downgrades take effect at the start of your next billing cycle.

Is there a free trial for paid plans?

Yes, all paid Mailchk plans come with a 14-day free trial. No credit card required to start.

What happens if I exceed my monthly limit?

You will receive a notification when you reach 80% and 100% of your limit. If you have credit balance, validations will automatically use your credits as overflow. You can also upgrade your plan for a higher monthly limit.

Credits are a pay-as-you-go option. 1 credit = 1 email validation. Buy a credit pack any time — credits are used automatically when your monthly subscription limit is reached. Credits expire 1 year from your most recent purchase, and each new purchase extends the expiry date.

What does the Mailchk Enterprise plan include?

Mailchk Enterprise plans are fully customised to your needs. This includes unlimited validations, advanced validation features (catch-all detection, mailbox existence checking, greylisting detection), dedicated infrastructure, custom SLAs, an account manager, SSO, and invoice-based billing.

Documentation

API Documentation

Integrate disposable email detection into your application with our simple REST API.

Email ValidationEmail Testing SMS Testing

Quick Start

curl -X GET "https://api.mailchk.io/v1/check?email=test@example.com"

Base URL

https://api.mailchk.io

Authentication

All API requests must be authenticated using an API key. Include your API key in the x-api-key header with every request.

Getting Your API Key

1.Sign up for a free account at mailchk.io/signup
2.Go to your Dashboard → API Keys
3.Click "Create API Key" to generate a new key
4.Copy your key and store it securely (you won't be able to see it again)

Keep your API keys secure

Never expose API keys in client-side code, public repositories, or share them publicly. Use environment variables to store keys securely.

Example Authentication

Include your API key in the x-api-key header:

curl -X GET "https://api.mailchk.io/v1/check?email=test@example.com" \
  -H "x-api-key: YOUR_API_KEY"

Endpoints

GET /v1/check?email=test@example.com

Check a single email address for disposable domain detection, MX records, and risk scoring.

Response

{
  "email": "test@example.com",
  "domain": "example.com",
  "valid": true,
  "disposable": false,
  "scam_domain": false,
  "mx_exists": true,
  "mx_records": [
    { "exchange": "mx1.example.com", "priority": 10 }
  ],
  "blacklisted_mx": false,
  "free_email": false,
  "did_you_mean": "",
  "risk_score": "low",
  "risk_factors": [],
  "email_provider": "Google Workspace",
  "deliverability_score": 95,
  "spf": "pass",
  "dmarc": "pass",
  "normalized_email": "test@example.com",
  "is_aliased": false,
  "alias_type": null
}

POST /v1/check

Check a single email address using JSON body.

Request Body

{
  "email": "test@example.com"
}

Response

{
  "email": "test@example.com",
  "domain": "example.com",
  "valid": true,
  "disposable": false,
  "scam_domain": false,
  "mx_exists": true,
  "blacklisted_mx": false,
  "free_email": false,
  "did_you_mean": "",
  "risk_score": "low",
  "risk_factors": [],
  "email_provider": "Google Workspace",
  "deliverability_score": 95,
  "spf": "pass",
  "dmarc": "pass",
  "normalized_email": "test@example.com",
  "is_aliased": false,
  "alias_type": null
}

POST /v1/check/bulk

Check multiple email addresses in a single request (max 100).

Request Body

{
  "emails": [
    "test@example.com",
    "fake@tempmail.com"
  ]
}

Response

{
  "results": [
    {
      "email": "test@example.com",
      "domain": "example.com",
      "valid": true,
      "disposable": false,
      "scam_domain": false,
      "mx_exists": true,
      "blacklisted_mx": false,
      "free_email": false,
      "did_you_mean": "",
      "risk_score": "low",
      "risk_factors": [],
      "email_provider": "Google Workspace",
      "deliverability_score": 95,
      "spf": "pass",
      "dmarc": "pass",
      "normalized_email": "test@example.com",
      "is_aliased": false,
      "alias_type": null
    },
    {
      "email": "fake@tempmail.com",
      "domain": "tempmail.com",
      "valid": false,
      "disposable": true,
      "scam_domain": false,
      "mx_exists": false,
      "blacklisted_mx": false,
      "free_email": false,
      "did_you_mean": "",
      "risk_score": "critical",
      "risk_factors": ["disposable_domain", "no_mx_records"],
      "reason": "Disposable email domain detected",
      "email_provider": null,
      "deliverability_score": 0,
      "spf": "none",
      "dmarc": "none",
      "normalized_email": "fake@tempmail.com",
      "is_aliased": false,
      "alias_type": null
    }
  ]
}

Response Fields

Field	Type	Description
email	string	The normalized email address
domain	string	The domain portion of the email
valid	boolean	Whether the email format is valid
disposable	boolean	Whether the domain is a known disposable email provider
scam_domain	boolean	Whether the domain is flagged as scam, phishing, or malicious (470K+ domains, updated daily)
mx_exists	boolean	Whether the domain has MX records (can receive email)
mx_records	array?	List of MX records with exchange and priority (if available)
blacklisted_mx	boolean	Whether any MX server IP is found on a DNS blacklist (DNSBL)
free_email	boolean	Whether the domain is a free email provider (Gmail, Yahoo, etc.)
did_you_mean	string	Suggested correction if a common typo is detected
risk_score	string	Risk level: "low", "medium", "high", or "critical"
risk_factors	array	List of detected risk factors (e.g., "disposable_domain")
reason	string?	Human-readable explanation when email has issues
normalized_email	string	The canonical mailbox address with aliases stripped (dots, plus tags, provider aliases)
is_aliased	boolean	Whether the email uses aliasing (plus tags, dot tricks, domain aliases)
alias_type	string?	Type of alias: "plus_addressing", "dot_variation", "provider_alias", or "subdomain_addressing"

Risk Factors

Factor	Weight	Description
invalid_format	Critical	Email format is invalid (instant fail)
disposable_domain	+80	Domain is a known disposable email provider
scam_domain	+85	Domain flagged as scam, phishing, or malicious (470K+ domains, updated daily)
no_mx_records	+70	Domain has no MX records (cannot receive email)
blacklisted_mx	+40	MX server IP is listed on a DNS blacklist (Spamcop, Barracuda, DroneBL)
possible_typo	+60	Domain appears to be a typo of a common provider
suspicious_pattern	+25	Local part has suspicious patterns (random chars)
role_account	+15	Role-based email (admin@, info@, support@)
free_provider	+5	Free email provider (Gmail, Yahoo, etc.)

Risk Score Levels

low

0-14 points. Safe to accept.

medium

15-39 points. Review recommended.

high

40-69 points. Consider rejecting.

critical

70+ points. Reject recommended.

Error Codes

400

Bad Request

Missing or invalid parameters

401

Unauthorized

Invalid or missing API key

429

Too Many Requests

Rate limit exceeded

500

Internal Server Error

Something went wrong on our end

Webhooks

Pro & Business

Receive real-time HTTP POST notifications when email validations complete. Configure webhooks in your dashboard settings.

How It Works

Configure URL

Add your HTTPS endpoint in dashboard settings

Validate Emails

Use the API as normal to validate emails

Receive Events

We POST results to your endpoint in real-time

Verify Signature

Validate HMAC-SHA256 signatures for security

Event Types

Event	Description	Trigger
validation.completed	An email validation has finished	After each API validation request

Payload Format

Each webhook delivery includes these headers and a JSON body:

Headers

Content-Type	application/json
X-Webhook-Signature	HMAC-SHA256 signature: `v1=<hex-digest>`
X-Webhook-Timestamp	Unix timestamp (seconds) when the event was sent
User-Agent	Mailchk-Webhooks/1.0

Body

{
  "event": "validation.completed",
  "timestamp": "2025-01-15T10:30:00.000Z",
  "data": {
    "email": "user@example.com",
    "domain": "example.com",
    "valid": true,
    "disposable": false,
    "mx_exists": true,
    "blacklisted_mx": false,
    "free_email": false,
    "did_you_mean": "",
    "risk_score": "low",
    "risk_factors": [],
    "email_provider": "Google Workspace",
    "deliverability_score": 95,
    "spf": "pass",
    "dmarc": "pass"
  }
}

Verifying Signatures

Always verify webhook signatures to ensure requests are from Mailchk. The signature is computed as HMAC-SHA256(secret, timestamp + "." + body).

const crypto = require('crypto');

function verifyWebhook(payload, signature, timestamp, secret) {
  const message = `${timestamp}.${payload}`;
  const expected = crypto
    .createHmac('sha256', secret)
    .update(message)
    .digest('hex');
  return signature === `v1=${expected}`;
}

// In your webhook handler:
app.post('/webhooks/mailchk', (req, res) => {
  const signature = req.headers['x-webhook-signature'];
  const timestamp = req.headers['x-webhook-timestamp'];
  const body = JSON.stringify(req.body);

  if (!verifyWebhook(body, signature, timestamp, WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature');
  }

  // Process the event
  console.log('Event:', req.body.event);
  console.log('Email:', req.body.data.email);
  res.status(200).send('OK');
});

Delivery & Retries

Your endpoint must respond with a 2xx status code within 10 seconds to acknowledge delivery.

Failed deliveries are retried up to 3 times with exponential backoff.

Webhook URLs must use HTTPS. HTTP endpoints are not supported.

You can view delivery history and send test events from your dashboard.

Up to 3 webhook endpoints can be configured per account.

Official SDKs & Plugins

Skip the boilerplate. Use our official libraries for your language.

Node.js

npm install @mailchk/sdk

Python

pip install mailchk

PHP

composer require mailchk/mailchk-php

WordPress

Download from plugin directory

View All SDKs & Plugins